A Threat Hunter Himself

Date post: 16-Apr-2017

Teymur Kheirkhabarov Sergey Soldatov

BIO

• Head of SOC @Kaspersky Lab

• BMSTU graduate, CISA, CISSP

• Ex- Infosec dept. director

• Ex- Infosec admin

• Ex- software developer

• Ex- musician, sportsman

• SOC Analyst @Kaspersky Lab

• SibSAU (Krasnoyarsk) graduate

• Ex- Infosec dept. head

• Ex- Infosec admin

• Ex- System admin

Cyber threat hunting is the practice of searching iteratively through data to detect advanced threats that evade traditional security solutions

Threat hunting?

https://sqrrl.com/solutions/cyber-threat-hunting/

BUSINESS:

• Minimize residual risks

• Minimize time between attack and detection

TECH:

• Unknown [targeted] attacks detection

• Non-malware attacks detection

• TTP based detection

• “Time machine” for evidence analysis

What for?

[Diagram: Security tools, Monitoring, Prevention, Threat hunting, SOC, Alerting, Risks]

Hunting vs. Alerting

SOC/Alerting

• Reactive

• Detect/forget

Hunting/Mining

• Proactive

• Repeated searches

[Diagram: the alerting flow (TI, Alerting, IR) beside the hunting flow (Hypotheses, Hunting, MA*, DF, IR, TI, Alerting)]

http://reply-to-all.blogspot.ru/2016/07/blog-post.html (RU)

* MA – malware analysis, DF – digital forensics, IR – incident response

[Big] data

• OS processes activities

• OS events

• Security tools

• Net perimeter

• …

Process/Procedure

• TI + all possible detection techniques

• Previous experience

• Situational awareness

• …

Human

• Able to produce and check hypotheses

• Quick-witted

What is needed?

The Process: Theory

[Diagram: the three-level process]

Level 1: “TI Farm”

• Objects (MD5, FQDN) -> Tags/Labels

• Sources: IoC feeds, AM detects, behavior patterns, whitelisting, popularity, similarity

Level 2: “Cases”

• Objects behavior & IPC (use tags from previous level) -> Suspicious objects, suspicious systems

• Sources: SOC practice, known attackers TTP (reports), DF/IR practice, security assessment practice

Level 3: Analyst

• Raw events -> Digital forensics (DF), Incident response (IR), Malware analysis (MA)

Methods: heuristics, machine learning, manual analysis, sandbox, scripts :)

What | How | More info

Process activities @endpoint | Sysinternals Sysmon | https://technet.microsoft.com/en-us/sysinternals/sysmon

Autoruns | Sysinternals Autorunsc | https://technet.microsoft.com/ru-ru/sysinternals/bb963902.aspx

E-mail attachments | MTA + Python + Yara | https://github.com/Yara-Rules/rules

What’s inside?

Task | How | Link

Log shipping | Filebeat, Winlogbeat | https://www.elastic.co/products/beats/filebeat, https://www.elastic.co/products/beats/winlogbeat

Parsing, Processing, TI matching | Logstash | https://www.elastic.co/products/logstash, https://github.com/aptnotes/data

Storage | Elasticsearch | https://www.elastic.co/products/elasticsearch

Search & Visualization | Kibana | https://www.elastic.co/products/kibana

Event class | ID | Rate | Importance

Process Create | 1 | Low-Medium | Detect initial infection and malware child processes.

Process Terminate | 2 | Low-Medium | Useful for forensic investigations. May be correlated with process creation events.

Driver Load | 6 | Low | Detect device drivers loading.

Image Load | 7 | High (use with filtration) | Detect DLL injection, unsigned DLL loading.

File Creation Time Changed | 2 | Medium-High (need to exclude browsers and archivers) | Detect anti-forensic activity (timestamp changed to cover tracks).

Network Connection | 3 | High (use with filtration) | Identify network activity, connection to malware C&C servers, connection to ransomware server to download encryption keys.

CreateRemoteThread | 8 | Low-Medium | Detect code injections used by malware. Credential theft tools (e.g. mimikatz, WCE) also use this technique to inject their code into the LSASS process.

Process accessed | 10 | High (use with filtration) |

RawAccessRead | 9 | Low | Detect copying of SAM or NTDS.DIT off compromised hosts.

Data: sysmon events

• autorunsc -a * -ct -h -m -s -nobanner /accepteula

• -v -vt if VirusTotal detections matter

• Simple PowerShell script compares the current autorunsc result with the previous one and writes a text log

Data: autorunsc
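The snapshot comparison described above, as an added example that is not the talk's own script (the original is PowerShell; this is the same logic in Python). The tab-separated snapshots and their column names are constructed assumptions covering a subset of real autorunsc -ct output; the "System inventory" task mirrors the persistence created in the demo.

```python
import csv, io

# Constructed autorunsc -ct snapshots (tab-separated, a subset of the real columns).
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HEADER = "Entry Location\tEntry\tImage Path\tMD5"

def tsv(*rows):
    return "\n".join([HEADER, *["\t".join(r) for r in rows]]) + "\n"

BEFORE = tsv((RUN_KEY, "SecurityHealth", r"c:\windows\system32\securityhealthsystray.exe", "AAAA1111"),
             ("Task Scheduler", "Maintenance", r"c:\windows\system32\schtasks.exe", "BBBB2222"))
AFTER = tsv((RUN_KEY, "SecurityHealth", r"c:\windows\system32\securityhealthsystray.exe", "AAAA1111"),
            ("Task Scheduler", "System inventory", r"c:\windows\system32\windowspowershell\v1.0\powershell.exe", "CCCC3333"),
            ("Task Scheduler", "Maintenance", r"c:\windows\system32\schtasks.exe", "DDDD4444"))

def parse_snapshot(text):
    """Map (entry location, entry name) -> (image path, MD5) from autorunsc -ct output."""
    rows = csv.DictReader(io.StringIO(text), delimiter="\t")
    return {(r["Entry Location"], r["Entry"]): (r["Image Path"], r["MD5"]) for r in rows}

def diff_snapshots(before, after):
    """Return (kind, key, (image, md5)) tuples for new, removed and changed autoruns."""
    old, new = parse_snapshot(before), parse_snapshot(after)
    changes = [("NEW", k, new[k]) for k in sorted(new.keys() - old.keys())]
    changes += [("REMOVED", k, old[k]) for k in sorted(old.keys() - new.keys())]
    # Same entry, different binary or hash: a legitimate autorun replaced in place.
    changes += [("CHANGED", k, new[k]) for k in sorted(old.keys() & new.keys()) if old[k] != new[k]]
    return changes

def format_log(changes):
    """One text line per change, ready to be appended to the log that filebeat ships."""
    return [f"{kind}\t{loc}\t{entry}\t{image}\t{md5}" for kind, (loc, entry), (image, md5) in changes]

if __name__ == "__main__":
    with open("autoruns-diff.log", "a") as log:
        for line in format_log(diff_snapshots(BEFORE, AFTER)):
            log.write(line + "\n")
```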

• Python script:

  • Get email headers

  • Get attachments: name, size, MD5, file type

  • Check Yara from https://github.com/Yara-Rules/rules (can be any)

  • If attachment is an archive: check if it is password protected, inflate and repeat the previous steps

  • Returns JSON output, example:

{"source_arch_md5": "1788A5624790B6707241E45461443757", "file_name": "x64/mimilib.dll", "subject": "Fwd: \u0421\u0447\u0435\u0442 \u043d\u0430 \u043e\u043f\u043b\u0430\u0442\u0443", "x-virus-scanned": "", "yara_matches": ["mimikatz"], "file_size": 32256, "date": "Sun, 13 Nov 2016 20:56:11 +0300", "cc": [], "MD5": "7DF94A9513983F9324C630C98B2BACCD", "from": "[email protected]", "file_type": "PE32+ executable (DLL) (console) x86-64, for MS Windows", "yara_check_date": "2016-11-13T16:46:41.788812", "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101\n Thunderbird/45.4.0", "to": ["[email protected]"], "ip": ["172.16.205.139"], "message-id": "<[email protected]>", "x-mailer": "", "mime_type": "application/x-dosexec"}

Data: e-mail attachments
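The attachment pipeline above as an added Python example, not the talk's script: headers, per-attachment hashing and typing, recursion into zip members, and the password-protected check via the zip encryption flag. The YARA step is replaced by a constructed byte-pattern stand-in (FAKE_RULES) and file typing by a two-entry magic table, so it runs offline; the sample message is constructed.

```python
import email, hashlib, io, zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for YARA: rule name -> byte pattern. A real deployment loads
# https://github.com/Yara-Rules/rules with yara-python; this keeps the example offline.
FAKE_RULES = {"mimikatz_string": b"mimikatz", "pe_header": b"MZ"}
MAGIC = {b"MZ": "PE32 executable", b"PK": "Zip archive data"}   # cheap 'file'-style typing

def scan_bytes(name, data, meta, source_arch_md5=None):
    """Describe one attachment; recurse into zip members that are not encrypted."""
    record = dict(meta, file_name=name, file_size=len(data),
                  MD5=hashlib.md5(data).hexdigest().upper(),
                  file_type=MAGIC.get(data[:2], "data"),
                  yara_matches=[r for r, pat in FAKE_RULES.items() if pat in data],
                  source_arch_md5=source_arch_md5)
    records = [record]
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:                  # encrypted member: flag it, do not inflate
                    record["password_protected"] = True
                    continue
                records += scan_bytes(info.filename, zf.read(info), meta, record["MD5"])
    return records

def scan_message(raw):
    """Headers plus one record per attachment (and per archive member), as in the talk's JSON."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    meta = {"subject": str(msg["subject"]), "from": str(msg["from"]),
            "to": [str(h) for h in msg.get_all("to", [])],
            "date": str(msg["date"]), "message-id": str(msg["message-id"])}
    records = []
    for part in msg.iter_attachments():
        records += scan_bytes(part.get_filename(), part.get_payload(decode=True), meta)
    return records

def build_sample():
    """Constructed message: a zip attachment wrapping a fake DLL that contains 'mimikatz'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("x64/mimilib.dll", b"MZ\x90\x00 fake-dll mimikatz")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Fwd: invoice", "sender@example.test", "victim@example.test"
    msg["Date"], msg["Message-ID"] = "Sun, 13 Nov 2016 20:56:11 +0300", "<constructed@example.test>"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

json.dumps(scan_message(build_sample()), indent=1) prints the per-file records in the same shape as the JSON example above, minus the fields this stand-in does not compute.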

Data: files&URL from traffic, Dynamic analysis

• TODO:

  • Deploy BRO: url, file extractor

  • Deploy Cuckoo sandbox

  • Python script new ver.: url from e-mail

  • Windows events: registry changes, file access, service install, task scheduling, PowerShell, …

  • Correlation engine: Exper

The Process: Practice

[Diagram: data pipeline]

• Endpoint: Autorunsc (shipped by filebeat), Sysmon (shipped by winlogbeat)

• MTA (Exim): Python script + Yara (shipped by filebeat)

• Logstash -> RabbitMQ -> Logstash (pipelines: logstash-mail, logstash-autorunsc, logstash-windows, logstash-files)

• Elasticsearch: index events; unique file aggregation -> unique files aggregation index (‘TI Farm’)

Demo time!!!

• Excel with macros downloads sytem.ps1 into memory and executes it

• sytem.ps1 downloads the meterpreter payload into memory and runs it

• Creates scheduled task “System inventory” for persistence

Attacker creates excel downloader

Attacker starts reverse shell handler

Attacker sends, Victim receives

Super AV

Post-exploitation

Analyst hypothesis start: inject into lsass

Who injected into lsass?

Who started lsass injector?

Who started lsass injector starter?

Check if explorer.exe compromised…

Search for powershell start

Who started powershell which started powershell which injected explorer.exe?

Who created scheduled task?

Who sent email? Any other affected?
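The chain of questions above, as an added Python example that is not part of the talk: walk constructed Sysmon-style Process Create (ID 1) and CreateRemoteThread (ID 8) records from the lsass injection back to the e-mail client, pivoting from a hijacked ancestor (explorer.exe) to its injector. Field names and GUID labels are simplified assumptions, not Sysmon's exact schema; the image paths mirror the demo.

```python
from collections import defaultdict

# Constructed, trimmed Sysmon-style records (not real telemetry): id 1 = Process Create,
# id 8 = CreateRemoteThread. GUID labels are fake; image paths mirror the demo.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": 1, "guid": "G-explorer", "image": r"C:\Windows\explorer.exe", "parent": "G-userinit"},
    {"id": 1, "guid": "G-thunderbird", "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe", "parent": "G-explorer"},
    {"id": 1, "guid": "G-excel", "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "parent": "G-thunderbird"},
    {"id": 1, "guid": "G-wmiprvse", "image": r"C:\Windows\System32\wbem\wmiprvse.exe", "parent": "G-excel"},
    {"id": 1, "guid": "G-ps1", "image": PS, "parent": "G-wmiprvse"},
    {"id": 1, "guid": "G-ps2", "image": PS, "parent": "G-ps1"},
    {"id": 8, "source": "G-ps2", "target": "G-explorer"},          # powershell injects into explorer
    {"id": 1, "guid": "G-random2", "image": r"C:\temp\random2.exe", "parent": "G-explorer"},
    {"id": 1, "guid": "G-svch0st", "image": r"C:\Windows\syswow64\svch0st.exe", "parent": "G-random2"},
    {"id": 1, "guid": "G-random1", "image": r"C:\temp\random1.exe", "parent": "G-svch0st"},
    {"id": 1, "guid": "G-lsass", "image": r"C:\Windows\System32\lsass.exe", "parent": "G-wininit"},
    {"id": 8, "source": "G-random1", "target": "G-lsass"},         # the hypothesis trigger
]

def index_events(events):
    """Process table keyed by GUID, plus target GUID -> list of injecting GUIDs."""
    procs = {e["guid"]: e for e in events if e["id"] == 1}
    injections = defaultdict(list)
    for e in events:
        if e["id"] == 8:
            injections[e["target"]].append(e["source"])
    return procs, injections

def trace_origin(events, victim_guid):
    """Answer 'who injected into X? who started that? ...' and return the image names.
    An ancestor that was itself a CreateRemoteThread target counts as hijacked, so the
    walk pivots to its injector instead of its parent; `seen` stops loops."""
    procs, injections = index_events(events)
    chain, seen = [], {victim_guid}
    cur = injections[victim_guid][0] if injections.get(victim_guid) else None
    while cur in procs and cur not in seen:
        seen.add(cur)
        chain.append(procs[cur]["image"].rsplit("\\", 1)[-1].lower())
        cur = injections[cur][0] if injections.get(cur) else procs[cur]["parent"]
    return chain

if __name__ == "__main__":
    for depth, image in enumerate(trace_origin(EVENTS, "G-lsass")):
        print("  " * depth + "<- " + image)
```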

• TH – the only effective way to counter customized threats

• TH – ‘must have’ process of security operations

• TH – can’t be fully automated

• TH – never-ending self-improving closed cycle via IR/DF/MA

• TH needs data & human-machine analysis

• TH can be done by yourself!

Outro

[Diagram: the attack chain reconstructed in the demo]

• Thunderbird.exe started excel.exe, which started wmiprvse.exe, which started powershell.exe

• powershell.exe started powershell.exe

• powershell.exe started schtasks.exe; Task Scheduler started powershell.exe

• powershell.exe injected into explorer.exe (compromised explorer.exe)

• explorer.exe started \temp\<random2>.exe

• \temp\<random2>.exe started \syswow64\svch0st.exe

• \syswow64\svch0st.exe started \temp\<random1>.exe

• \temp\<random1>.exe injected into lsass.exe

• Strange HTTP to 66.66.66.66

• All configs: https://github.com/votadlos/ZN2016

Q&A

Thank you for your attention!
